Delivering Policy in the Age of Open Source

This is an exciting time in the history of datacenter infrastructure. We are witnessing the collision of two major trends: the maturation of open source software and the redefinition of infrastructure policy.

The trend towards open source is self-evident. Platforms such as OpenStack and OpenDaylight are gaining huge developer mindshare as well as support and investment from major vendors. Even some newer technologies like Docker, which employs Linux kernel containers, and Ceph, a software-based storage solution, offer promising paths in open source. Given the fundamental requirements of interoperability in architecturally diverse infrastructure environments, it's no surprise that open source is gaining momentum.

The second trend around policy is a bit earlier in its evolution but equally disruptive. Today, there is a huge disconnect between how application developers think about their requirements and the languages and tools through which they are communicated to the infrastructure itself. For example, just to handle networking, a simple three-tier app must be deconstructed into an array of VLANs, ACLs, and routes spread across a number of devices. Storage and compute present similar challenges as well. To simplify this interaction and create more scalable systems, we need to actually rethink how resources are requested and distributed between different components. This really boils down to shifting the abstraction model away from configuring individual devices and toward separately capturing user intent and operational, infrastructure, and compliance requirements.

At Cisco, we’ve really embraced both of these trends. We are active contributors to over 100 open source projects and were founding members of OpenStack Neutron and OpenDaylight. We’ve also made open source a successful business practice by incorporating and integrating popular projects with our products. In parallel, Cisco has accumulated a lot of experience in describing policy through the work we’ve done with Cisco Unified Computing (UCS) and most recently with Cisco Application-Centric Infrastructure (ACI).

Building on this foundation, we see a unique opportunity to collaborate with the open source community to deliver a vision for policy-driven infrastructure. This will enhance the usability, scale, and interoperability of open source software and benefit the entire infrastructure ecosystem.

This vision includes two initiatives in the open source community:

Group-Based Policy: An information model designed to express applications’ resource requirements from the network through a hardware-independent, declarative language and leave a simple control and dataplane in place. This approach replaces traditional networking constructs like VLANs with new primitives such as “groups”, which model tiers or components of an application, and “contracts” describing relationships between them. Group-Based Policy will be available in the context of OpenStack Neutron as well as OpenDaylight through a plug-in model that can support any software or hardware infrastructure.

OpFlex: A distributed framework of intelligent agents within each networking device designed to resolve policies. These agents would translate an abstract, hardware-independent policy taken from a logically central repository into device-specific features and capabilities.
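
As an added illustration (not code from the Group-Based Policy or OpFlex projects), the following Python example renders a three-tier application expressed as groups and contracts into per-endpoint allow rules, the kind of translation from abstract policy to concrete rules described above. The group names, addresses, ports, function names, and the default-deny behaviour are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample policy: group names, member addresses and ports are
# illustrative and do not come from any real deployment or project schema.
GROUPS = {
    "web": ["10.0.1.10", "10.0.1.11"],
    "app": ["10.0.2.10"],
    "db": ["10.0.3.10"],
}

@dataclass(frozen=True)
class Contract:
    consumer: str  # group that initiates traffic
    provider: str  # group that offers the service
    protocol: str
    port: int

CONTRACTS = [
    Contract("web", "app", "tcp", 8080),
    Contract("app", "db", "tcp", 5432),
]

def render_rules(groups, contracts):
    """Expand group-level contracts into per-endpoint allow rules."""
    rules = set()
    for c in contracts:
        # Reject contracts that name a group the policy never defined,
        # instead of silently rendering nothing for them.
        for name in (c.consumer, c.provider):
            if name not in groups:
                raise ValueError(f"contract references unknown group {name!r}")
        for src in groups[c.consumer]:
            for dst in groups[c.provider]:
                rules.add((src, dst, c.protocol, c.port))
    return sorted(rules)

def is_allowed(rules, src, dst, protocol, port):
    """Assumed default deny: only an exact rendered rule permits traffic."""
    return (src, dst, protocol, port) in set(rules)

if __name__ == "__main__":
    for rule in render_rules(GROUPS, CONTRACTS):
        print("allow", *rule)
```

Because no contract links "web" to "db", no rule between those tiers is rendered, and adding a member to a group changes the rendered rules without touching the contracts.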

Let’s look a bit more closely at each of these initiatives.

Group-Based Policy in Neutron / OpenStack

Cisco is collaborating with the OpenStack community and partners including Big Switch Networks, IBM, Juniper, Midokura, Nuage, One Convergence, and Red Hat to extend OpenStack Neutron’s networking model with new policy APIs. Unlike the current Neutron primitives, which rely on Layer 2 and Layer 3 behavior, these APIs offer users an intuitive but flexible mechanism for describing networking requirements using a language of groups and contracts. And of course, group-based APIs can support any network backend or even be rendered back to existing Neutron primitives. Anyone is welcome to participate in this effort. The easiest way to get involved in the community is to join the weekly IRC Meetings.

Here’s a demo of this in action: The group policy model – Short demo

Group-Based Policy in OpenDaylight

Cisco is also collaborating with the ODL community including Ericsson, HP, IBM, Midokura, One Convergence, Plexxi, and Red Hat to build a comprehensive set of Group-Based Policy APIs in OpenDaylight. The goal is to expose policy as a new northbound API that can access a range of southbound plugins, including OpenFlow and OpFlex. More information on the project, its contributors, and how to get involved can be found on the OpenDaylight wiki.

OpFlex

Cisco, Citrix, Red Hat, Intel, and Midokura have partnered to develop an open source OpFlex agent that can be embedded in various networking devices. The OpFlex protocol, recently proposed to the IETF, describes an architecture for distributed control through declarative policy.

OpFlex is also being driven as a project within OpenDaylight. The first target for this agent is Open vSwitch, where it runs on top of the lower level OpenFlow and OVSDB interfaces, but it will be transferable to other open source and commercial platforms. The project includes a southbound plugin for OpenDaylight to provide an open source controller-side implementation of OpFlex as well.

Hopefully that gives you a good sense of how and why we are driving policy-based initiatives in the open source community. While our initial goal with this effort was simply to drive standards and interoperability, thanks in large part to the support we’ve found in the ecosystem, we’ve focused on a larger vision — making open source infrastructure more scalable, easier to automate, and simpler to use. We’d love to see you join us on this mission!
